Last week a new member registered with multiple identities with the intention of exploiting our Personal messaging system to mass send spam emails to members.
The Personal Messages contained the following information:
Spam Personal Message 1
Please help
Spam Personal Message 1
Hey, See this very very funny picture))))
Both linked to a Russian website with bad intentions.
IF YOU RECEIVE ONE OF THESE PERSONAL MESSAGES PLEASE DELETE IT AND REPLY TO THIS THREAD WITH THE DETAILS OF WHO SENT IT TO YOU AND WHAT THE PM CONTAINED.
To prevent such things I already have set the forum permissions (a long time ago) so that members need to make 10 posts before having access to the PM system. The trouble is this new member made 10 posts of rubbish in minutes and then gained access to the PM system.
Initially I just deleted the posts and account, but did not ban the IP address. When our friend returned again under a different name I noticed the IP address was the same. I also ran a search for other member accounts with the same IP address and I found another three accounts. Anyway the IP address is now banned and the accounts all deleted.
When I looked into this further I found this exploit was known by the people who make the forum software and they released a patch within hours. I have installed this patch already. More details here.
http://forums.invisi...ip-board-2-3-6/
So the actions of banning the member accounts and IP address, along with the fact that the PM system now has flood control that will only allow a member to send 1 PM every 30 minutes, basically mean that if someone signs up to spam they will first have to make 10 posts and then will only be able to send one PM every 1/2 an hour. Hardly the ideal platform for mass spamming.
I think the spammer managed to send about 15 Personal Messages in all. If you were affected by this attack please accept my sincere apologies and be assured that we are aware and have taken immediate corrective action to prevent a recurrence.
Regards,
Simon
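
The checks described in the post above (10-post gate, one PM per 30 minutes, searching for accounts that share an IP address), sketched as an added example that is not part of Simon's post or the forum software's own code. The function names, the 15-minute burst window and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

POST_GATE = 10                        # posts required before PM access (from the post)
PM_INTERVAL = timedelta(minutes=30)   # flood control: 1 PM per 30 minutes (from the post)
BURST_WINDOW = timedelta(minutes=15)  # assumption: reaching the gate this fast is suspicious

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def burst_accounts(posts):
    """Accounts whose first POST_GATE posts all fall inside BURST_WINDOW."""
    by_user = defaultdict(list)
    for user, when in posts:
        by_user[user].append(when)
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        if len(times) >= POST_GATE and times[POST_GATE - 1] - times[0] <= BURST_WINDOW:
            flagged.add(user)
    return flagged

def shared_ip_accounts(registrations):
    """Map each IP address used by more than one account to those accounts."""
    by_ip = defaultdict(set)
    for user, ip in registrations:
        by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}

def may_send_pm(post_count, last_pm, now):
    """Post gate plus flood control, as described in the post."""
    if post_count < POST_GATE:
        return False
    return last_pm is None or now - last_pm >= PM_INTERVAL

# Constructed sample data (documentation IP ranges, made-up account names)
REGISTRATIONS = [("alice", "198.51.100.7"), ("newguy1", "203.0.113.9"),
                 ("newguy2", "203.0.113.9"), ("newguy3", "203.0.113.9")]
START = ts("2008-01-01 12:00")
POSTS = ([("newguy1", START + timedelta(seconds=30 * i)) for i in range(10)]
         + [("alice", START + timedelta(days=i)) for i in range(12)])

if __name__ == "__main__":
    print("reached the post gate in a burst:", burst_accounts(POSTS))
    print("accounts sharing an IP:", shared_ip_accounts(REGISTRATIONS))
    print("PM allowed 5 min after last PM:",
          may_send_pm(10, START, ts("2008-01-01 12:05")))
```

The burst check covers the gap the post describes: the 10-post gate alone does not distinguish a member who posted over weeks from one who posted 10 times in minutes.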